b"                   National Science Foundation \xe2\x80\xa2 Office of Inspector General\n                   4201 Wilson Boulevard, Suite I-1135, Arlington, Virginia 22230\n\n\nMEMORANDUM\n\n\nDATE:                  January 27, 2014\n\nTO:                    Dr. Cora B. Marrett\n                       Deputy Director\n                       National Science Foundation\n\nFROM:                  Dr. Brett M. Baker\n                       Assistant Inspector General for Audit\n\nSUBJECT:               Audit of NSF\xe2\x80\x99s Purchase Card Program, Report No. 14-2-006\n\nAttached is the final report on the subject audit. The report contains one finding on the\nneed to strengthen NSF\xe2\x80\x99s oversight of the purchase card program with three\nrecommendations.\n\nIn accordance with Office of Management and Budget Circular A-50, Audit Followup,\nplease provide a written corrective action plan within 60 days to address the report\nrecommendations. This corrective action plan should detail specific actions and milestone\ndates.\n\nWe appreciate the courtesies and assistance provided by so many NSF staff during the\nreview. If you have any questions, please contact Marie Maguire, Director of\nPerformance Audits, at (703) 292-5009.\n\nAttachment\n\ncc:            Allison Lerner                   Steven Strength\n               G. P. Peterson                   Susan Carnohan\n               Michael Van Woert                Marie Maguire\n               Cliff Gabriel                    Wendell Reid\n               Martha Rubenstein                Emily Franko\n               Jeffrey Lupis                    Karen Scott\n               Greg Steigerwald\n\x0cAudit of the National Science Foundation\xe2\x80\x99s\n         Purchase Card Program\n\n\n\n\n        National Science Foundation\n        Office of Inspector General\n\n              January 27, 2014\n               OIG 14-2-006\n\n\n\n\n                                      TM#13-P-1-002\n\x0cIntroduction\n\nThe National Science Foundation (NSF) participates in the General Services\nAdministration\xe2\x80\x99s (GSA) government-wide purchase card program, SmartPay. The\npurchase card program provides Federal agencies with a flexible and efficient means to\nquickly make authorized low dollar value and high volume purchases of general\nsupplies or services. JPMorgan Chase bank (JPMorgan Chase) provides the credit\ncards and banking services to NSF under GSA\xe2\x80\x99s SmartPay program.\n\nThe Government Charge Card Abuse Prevention Act of 2012 (the Charge Card Act),\nPublic Law 112-194, enacted in October 2012, requires all executive branch agencies to\nestablish and maintain specific safeguards and internal controls for the management of\npurchase cards. In addition, the Charge Card Act also establishes additional reporting\nand audit requirements relating to the agency purchase cards. On September 6, 2013,\nthe Office of Management and Budget (OMB) issued Memorandum M-13-21, which\nprovided further guidance to implement the Charge Card Act.\n\nThe Division of Acquisition and Cooperative Support (DACS) within NSF\xe2\x80\x99s Office of\nBudget, Finance & Award Management is primarily responsible for administering the\npurchase card program. At NSF, the primary participants in the program are the:\n\n    (1) Agency Program Coordinator (APC) in DACS who has responsibility for both\n        overall administrative functions relating to the program and general oversight of\n        all purchase cardholders;\n    (2) purchase cardholders appointed to use the purchase card within their NSF\n        organizational unit; and\n    (3) approving officials who pre-approve the purchase card use of their assigned\n        cardholder(s), monitor account activity, and review cardholders\xe2\x80\x99 monthly account\n        statement.\n\nFrom April 1, 2010 through March 31, 2013, 233 NSF employees used purchase cards\nto make approximately 34,300 transactions totaling almost $17 million. DACS reported\nthat as of February 1, 2013, 272 purchase cards were assigned to 186 employees and\nthere were 96 approving officials.\n\nThe last OIG audit of NSF\xe2\x80\x99s purchase card program, performed in 2002 1, found irregular\ntransactions, including potential split purchases, payment of sales taxes, and the\npurchase of prohibited items such as travel.\n\n\n\n\n1\n Purchase Card Program Controls Need Strengthening, Audit Report No. 02-2-014, issued September\n30, 2002.\n\n                                                1\n\x0cResults of Audit\nNSF\xe2\x80\x99s controls to prevent and detect unauthorized purchases and its oversight of the\npurchase card program need strengthening. The control to cancel accounts when\ncardholders leave NSF was generally working. However, controls over preapprovals of\ntransactions and reviews of purchase card statements were not always followed. Also,\nagency-wide monitoring of the program and reviews of JPMorgan Chase reports\nshowing agency activity were not often performed. As a result, there was a risk that\ninappropriate or fraudulent transactions could occur and not be detected. We did\nidentify some inappropriate purchases and referred three cardholders\xe2\x80\x99 activity to our\nOffice of Investigations (OI) for investigation of possible fraud. As a result of one of\nthese investigations, a cardholder pleaded guilty in December 2013 to stealing more\nthan $94,000 by using his purchase card to buy electronics, music, and movies for\nhimself and his family.\n\nNSF recently made improvements in its oversight of the purchase card program,\nincluding updated guidance for the purchase card program in July 2013 and a new\nonline training course in August 2013. During fiscal year 2013, NSF management\ncommitted more resources to assist the APC to perform targeted reviews of purchase\ncard activity. DACS began using a contractor to test a sample of transactions. As most\nof these improvements occurred after our period under audit, we did not evaluate their\neffectiveness. However, a sustained commitment by management to strong oversight is\nneeded to ensure purchase card holders comply with Federal regulations and agency\npolicies, and to prevent and detect misuse of the purchase cards.\n\n\nOversight of NSF\xe2\x80\x99s Purchase Card Program Needs\nStrengthening\nNSF\xe2\x80\x99s internal controls to ensure that cardholders properly use purchase cards and\ncomply with Federal regulations as well as NSF policies and procedures need to be\nstrengthened and enforced. From our targeted, risk-based sample 2 of 508 transactions,\ntotaling $314,443 3 for 43 cardholders 4, we found the following control weaknesses.\n\n    Some purchases were not pre-approved.\n    There was no evidence of preapproval for 151 transactions totaling $76,877. These\n    unapproved purchases were made by 30 of the 43 cardholders tested. These 30\n    cardholders had between 1 and 21 unapproved transactions. Per both of NSF\xe2\x80\x99s\n\n2\n  See Appendix B: Objectives, Scope and Methodology for details on how we selected which transactions\nto test. Because we targeted our testing to the riskiest transactions, the sample is not representative of\nthe approximately 34,300 transactions in our population and the results should not be projected to the\nuniverse.\n3\n  This amount is the net of transactions tested, reflecting both charges and credits (refunds, adjustments,\netc.). All totals discussed in this report reflect net amounts.\n4\n  Includes 10 cardholders who no longer work for NSF.\n\n                                                    2\n\x0c    policies in effect during our audit period - the VISA Purchase Card Program\n    Handbook and Training Manual and the VISA U.S. Government Purchase Card\n    Guidance for Approving Officials, dated February 2004 - the approving official is\n    responsible for ensuring that transactions were authorized in advance of being made\n    by the cardholder.\n\n    Cardholders did not consistently maintain receipts or invoices for transactions, as\n    required.\n    Of the 43 cardholders tested, NSF could not provide support for 72 transactions\n    totaling $46,206 for 21 cardholders. For two former employees, NSF could not\n    locate documentation for any of their purchases. Both NSF policy and National\n    Archives and Records Administration regulations require that cardholders retain\n    records pertaining to purchase card transactions for 3 years after final payment to\n    the vendor.\n\n    There was no evidence of approving officials\xe2\x80\x99 review of some purchase card bank\n    statements.\n    Of the 508 transactions we tested, there was no evidence that the approving official\n    reviewed the bank statements for 191 transactions totaling $124,747. Furthermore,\n    32 transactions totaling $27,163 were not reviewed within 60 days of the billing date.\n    These 223 transactions were made by 37 5 of the 43 cardholders tested. For one\n    cardholder we tested, some bank statements were in unopened envelopes. Per\n    NSF\xe2\x80\x99s policies, the approving official should approve the cardholder\xe2\x80\x99s monthly\n    statement to ensure that the statement and supporting documentation are complete,\n    accurate, and reflect only authorized purchases made in accordance with the\n    Federal Acquisition Regulation. These policies also require approving officials to\n    review monthly transactions for patterns that indicate purchases are being split to\n    avoid the micro-purchase limit. The approving official\xe2\x80\x99s review should also ensure\n    that sales taxes are not paid in accordance with GSA regulations and NSF policy.\n    The approving official is required to sign and date the cardholder\xe2\x80\x99s monthly\n    statement. However, NSF\xe2\x80\x99s policies did not prescribe when these reviews must\n    occur. Given that cardholders have 60 days to dispute transactions with JPMorgan\n    Chase, it is reasonable for the approving officials\xe2\x80\x99 review to take place within this\n    time period.\n\n\n\n\n5\n Some of these 37 cardholders had both transactions with no approving official review of the related bank\nstatement(s) and late approving official review.\n\n                                                    3\n\x0cBank activity reports and Merchant Category Codes were not reviewed.\nJPMorgan Chase provides the APC various exception reports on purchase card\nactivity, such as reports of lost or stolen cards, declined or blocked transactions, and\nreports containing detailed information on items purchased from certain vendors.\nNSF did not regularly obtain and review most of these reports. GSA SmartPay\nprogram recommends that the APC use bank electronic reports to monitor and track\npurchases to identify potential misuse and fraud. NSF\xe2\x80\x99s 2004 policy states that\nreviews and assessments of monthly administrative reports on the program is an\nAPC responsibility. Also, OMB Circular No. A-123, Appendix B Revised, dated\nJanuary 15, 2009, requires card managers to review account activity reports to\nidentify questionable or suspicious transactions.\n\nMerchant Category Codes (MCC) identify the vendor\xe2\x80\x99s business category, such as\ncomputer software stores, telecommunications services, restaurants, book stores,\netc. At the APC\xe2\x80\x99s request, JPMorgan Chase can block transactions with merchants\nwith specified MCC codes. Although MCC codes periodically change, before\nFebruary 2013 NSF had not reviewed its allowable and blocked codes since 2008.\n\nWe requested a list of blocked and allowable MCC codes and identified some codes;\nsuch as babysitting, massage parlors, dating and escort services, and veterinary\nservices; that should have been blocked but were not. It is important to note that we\ndid not identify any NSF purchases to any of these codes. The APC then reviewed\nthe list provided to us and directed JPMorgan Chase to immediately block these and\nother questionable MCC codes. NSF can reduce its risk of improper purchases by\nperiodically reviewing MCC codes and blocking purchases from vendors with codes\nthat do not relate to NSF\xe2\x80\x99s business needs.\n\n\n                                         4\n\x0c   Some electronic equipment purchased using the purchase card, such as iPads and\n   cameras, did not have inventory barcodes to be included in NSF\xe2\x80\x99s inventory system.\n   NSF\xe2\x80\x99s purchase card policy requires cardholders to report accountable property\n   purchases to the Division of Administrative Services (DAS) to arrange for\n   assignment of barcode stickers and to have the items logged into the NSF inventory\n   system. NSF\xe2\x80\x99s 2004 policy also requires the approving official to verify that the\n   accountable property has been inventoried. Furthermore, NSF\xe2\x80\x99s policy on property\n   management for accountable property, issued by DAS, requires items with\n   acquisition values under $2,500 considered to be sensitive or highly pilferable, such\n   as desktops and laptops, to be inventoried.\n\nWe identified four causes that allowed these internal control weaknesses to occur.\nFirst, NSF had not committed sufficient resources to monitor and oversee the purchase\ncard program. The APC, who is responsible for overseeing NSF\xe2\x80\x99s purchase card\nactivity, also had other competing time-sensitive job responsibilities, such as serving as\nContracting Officer for several contract awards. Second, in the majority of cases,\ncardholders and approving officials received informal training from the APC once, when\nthey were initially assigned cardholder and approving official responsibilities. This\ntraining was not provided annually despite being required by NSF\xe2\x80\x99s VISA Purchase\nCard Program Handbook and Training Manual. In August 2013, NSF developed new\nautomated training for both cardholders and approving officials. NSF required that this\nnew training be completed by December 2013. This change should improve\ncardholders\xe2\x80\x99 and approving officials\xe2\x80\x99 awareness of their responsibilities under the\nprogram.\n\nThird, some cardholders stated that they were not aware that sensitive or highly\nportable property, such as professional cameras and high-end audiovisual equipment,\nshould be barcoded because NSF\xe2\x80\x99s policy only required computers (laptops and\ndesktops) and Personal Digital Assistants (PDAs), including Blackberry cell phones, to\nbe barcoded. NSF\xe2\x80\x99s prior purchase card policy does not require barcoding of other\nsensitive or pilferable property, such as cameras and high-end audiovisual items.\nNSF\xe2\x80\x99s new 2013 Purchase Card Program Handbook and Policy Manual does state that\nthe cardholder should inventory equipment with acquisition values under $2,500\nconsidered to be sensitive or highly pilferable, and this Manual lists laptops, desktops,\nand PDA\xe2\x80\x99s. The DAS policy, Procedures for Property Management for accountable\nproperty, only lists desktops and laptops as examples of accountable property with\nacquisition values under $2,500. However, another DAS guidance document, the\nProperty Custodian Operational Handbook, which details property management roles\nand responsibilities, also includes iPads, iPhones, video cameras, and high-end\naudiovisual equipment on its list of sensitive and highly portable equipment to be\nbarcoded.\n\nFinally, some approving officials did not always ensure that departing cardholders\nsubmitted their purchase card records before they left the agency despite the 3-year\nrecord retention policy.\n\n\n\n                                            5\n\x0cAs of result of the conditions we identified, there was a risk that inappropriate or\nfraudulent transactions could occur and not be detected. We identified the following\ninappropriate purchases:\n\n          \xe2\x80\xa2   17 transactions totaling $32,503 made by 6 cardholders were split\n              purchases.\n          \xe2\x80\xa2   17 instances totaling $1,113 in which the purchase card was\n              inappropriately used to pay for transportation to airports for two officials\n              who were on temporary duty travel. SmartPay provides a separate travel\n              card program to be used for travel and travel-related purchases.\n          \xe2\x80\xa2   10 of the 43 cardholders tested paid $821 of sales taxes for 20\n              transactions tested.\n          \xe2\x80\xa2   Two instances in which cardholders did not fully resolve disputes of items\n              that NSF did not purchase. In one case, the cardholder failed to fully\n              resolve potential overcharges of $11,594 for computers that the\n              cardholder did not purchase.\n          \xe2\x80\xa2   Some electronic items purchased, such as music players and speakers,\n              appear to be of questionable business use or necessity.\n\nFurthermore, we referred purchase card transactions for three cardholders to OI for\ninvestigation of possible fraud. We did not test any transactions for two of these\ncardholders, so their transactions are not included in our results. As a result of one of\nthese investigations, one cardholder, whose purchases are not included in our results,\npleaded guilty on December 5, 2013 to fraudulently purchasing more than $94,000 of\nelectronics, music, and movies for himself and his family. For another cardholder, OI\ndetermined that the purchase investigated was not inappropriate. The remaining\ninvestigation is ongoing.\n\nDuring our audit, NSF made improvements in its oversight of the purchase card\nprogram, including issuing updated guidance in July 2013 and requiring cardholders\nand approving officials to annually complete a new online training course. NSF\nmanagement obtained a contractor to assist the APC to perform targeted reviews of\npurchase card activity. These improvements occurred after our period under audit and\ntherefore, we did not evaluate their effectiveness. However, a sustained commitment\nby management to strong oversight is needed to ensure purchase cardholders comply\nwith Federal regulations and agency policies, and to prevent and detect misuse of the\npurchase cards.\n\n\nRecommendations\n\n   1. The NSF Director should take appropriate actions to monitor and oversee the\n      purchase card program. Such actions should include:\n         \xe2\x80\xa2 Continuous monitoring of purchase card transactions, using available\n            JPMorgan Chase reports to identify transactions for additional review.\n\n                                             6\n\x0c         \xe2\x80\xa2   Ensuring approving officials are reviewing cardholders\xe2\x80\x99 transactions from\n             preapproval to bank statement reconciliation.\n         \xe2\x80\xa2   Reviewing MCC codes on a periodic basis to determine if additional codes\n             should be blocked.\n         \xe2\x80\xa2   Ensuring compliance with record retention policies for purchase card\n             activity.\n         \xe2\x80\xa2   Ensuring accountable property, including sensitive and highly portable\n             items, has been inventoried.\n\n   2. DACS should:\n        \xe2\x80\xa2 Coordinate with DAS to revise the NSF policy, Procedures for Property\n           Management for accountable property to include additional examples of\n           sensitive and highly portable items to be barcoded, and\n        \xe2\x80\xa2 Update the Purchase Card Program Handbook and Policy Manual and\n           training materials to be consistent with the revisions to the DAS policy.\n\n   3. The APC should ensure that cardholders and approving officials meet the new\n      annual training requirement.\n\n\nSummary of Agency Response and OIG Comments\n\nNSF concurs with the conclusions and recommendations. We have included NSF's\nresponse to this report in its entirety as Appendix A.\n\n\n\nOIG Contact and Staff Acknowledgements\nMarie Maguire \xe2\x80\x93 Director of Performance Audits\n(703) 292-5009 or mmaguire@nsf.gov\n\nIn addition to Ms. Maguire, Wendell Reid and Emily Franko made key contributions to\nthis report.\n\n\n\n\n                                          7\n\x0cAppendix A: Agency Response\n\n\n\n\n                         8\n\x0c9\n\x0cAppendix B: Objective, Scope and Methodology\nThe objectives of this performance audit were to determine the adequacy of NSF\xe2\x80\x99s\ncontrols over purchase cards and to identify possible improper charges. Our scope was\npurchase card controls and activity from April 1, 2010 through March 31, 2013.\n\nTo complete our objectives, we reviewed NSF and federal criteria to understand the\nrules governing the purchase card program; interviewed the APC, several cardholders,\nand several approving officials to gain an understanding of their procedures to oversee\nthe program, and make and approve purchase card transactions; utilized data obtained\nfrom JPMorgan Chase; and tested a risk-based sample of purchase card transactions\noccurring during our scope period.\n\nTo develop this risk-based sample, we developed 19 risk-based transaction tests at\nboth the transaction level and cardholder level to identify anomalies in purchase card\ndata that could indicate fraud or abuse. Examples of risk factors at the transaction level\nincluded:\n\n    \xe2\x80\xa2   purchases made on a weekend or holiday,\n    \xe2\x80\xa2   charges to merchant names or Merchant Category Codes that we suspected\n        may not be business-related,\n    \xe2\x80\xa2   suspect charges identified from the JPMorgan Chase report containing detailed\n        information on items purchased from certain vendors,\n    \xe2\x80\xa2   purchases in which only one NSF card holder did business with a particular\n        merchant,\n    \xe2\x80\xa2   purchases made through third party payers (such as Paypal), and\n    \xe2\x80\xa2   possible split purchases (multiple purchases by a cardholder to the same vendor\n        over a 2-3 day period that exceeded the $3,000 micro-purchase limit).\n\nExamples of risk factors at the cardholder level included: cardholders for whom the\napproving official\xe2\x80\x99s span of control6 exceeded four purchase cards, and cardholders who\nhad declined charges and/or lost/stolen card(s) during the audit scope period.\n\nWe assigned risk scores for each of the 19 attributes tested and calculated the total risk\nscore for all 34,300 purchase transactions made between April 1, 2010 and March 31,\n2013. Based on our review of the risk scores and number of cardholders with high risk\ntransactions, we tested 145 transactions with a total risk score above a certain level\nmade by 26 cardholders. In addition to the highest risk transactions for these 26\ncardholders, we manually reviewed and judgmentally selected 225 additional\ntransactions that appeared unusual. Therefore, we tested a total of 370 transactions for\nthese 26 cardholders.\n\n\n6\n The span of control is how many purchase card accounts an approving official is responsible for\noverseeing. Auditors considered purchase cardholders whose approving officials had a span of control\nexceeding four purchase card accounts as the riskiest.\n\n                                                  10\n\x0cWe also manually reviewed and judgmentally selected 102 other transactions for 15\nadditional card holders whose transactions did not score the minimum total level but\nappeared to be unusual. For example, we decided to test a cardholder with several taxi\npurchases in the hundreds of dollars, and a cardholder who was the sole purchaser for\na vendor with a specific merchant category. We also tested 36 of the transactions of\ntwo OIG cardholders, the results of which are included in this report. Therefore, we\ntested a cumulative total of 508 transactions, totaling $314,443, made by 43\ncardholders.\n\nWhen testing transactions, we interviewed cardholders and some approving officials\nabout the training received, physical security of purchase cards, and explanations for\nboth declined transactions and lost or stolen cards.\n\nAdditionally, we performed testing to determine if purchase cardholder accounts were\ncanceled on a timely basis when cardholders left the agency.\n\nWe met with OIG Office of Investigations (OI) throughout our audit to discuss our\nmethodology and findings. Prior to testing transactions, we shared with OI the results of\nour risk factor scores. OI identified two cardholders to examine for possible fraudulent\ntransactions. The purchases for these two cardholders are not included in our results.\nDuring our testing, we referred another cardholder to OI for possible investigation.\n\nDuring the course of this audit, we relied on information and data received from\nJPMorgan Chase in electronic format that had been entered into a computer system or\nthat resulted from computer processing. We tested the reliability of JPMorgan Chase\xe2\x80\x99s\ncomputer-processed data by matching transaction dates, transaction amounts, and\nvendor names against original source documents. We relied on NSF\xe2\x80\x99s data to test a\nlimited number of transactions for one cardholder. We performed limited testing of the\nreliability of this NSF data by corroborating some results with NSF officials independent\nof the computer system. Based on our assessment, we concluded the computer-\nprocessed data was sufficiently reliable to use in meeting the audit\xe2\x80\x99s objectives.\n\nWe reviewed NSF\xe2\x80\x99s compliance with applicable provisions of pertinent laws and\nguidance, including the:\n\n   \xe2\x80\xa2      GSA\xe2\x80\x99s SmartPay guidance,\n   \xe2\x80\xa2      Federal Acquisition Regulation,\n   \xe2\x80\xa2      Office of Management and Budget Circular No. A-123, Appendix B Revised,\n          dated January 15, 2009,\n   \xe2\x80\xa2      National Archives and Records Administration\xe2\x80\x99s record retention regulations,\n   \xe2\x80\xa2      Treasury Financial Manual, and\n   \xe2\x80\xa2      NSF\xe2\x80\x99s VISA Purchase Card Program Handbook and Training Manual and the\n          VISA U.S. Government Purchase Card Guidance for Approving Officials,\n          dated February 2004.\n\n\n\n\n                                           11\n\x0cWe identified several instances of noncompliance with these laws and regulations, as\ndiscussed in our audit finding.\n\nThrough interviewing NSF staff and reviewing documentation, we also obtained an\nunderstanding of the management controls over the purchase card program. We\nidentified several internal control deficiencies which we discuss in our finding and\npotential instances of fraud, illegal acts, violations, or abuse, which we referred to our\nOffice of Investigations.\n\nWe conducted this performance audit between January 2013 and December 2013 in\naccordance with generally accepted government auditing standards. Those standards\nrequire that we plan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our finding and conclusions based on our audit\nobjectives. We believe that the evidence obtained provides a reasonable basis for our\nfinding and conclusions based on our audit objectives.\n\nWe held an exit conference with NSF management on December 12, 2013.\n\n\n\n\n                                             12\n\x0c"